]j6<dZddlZddlZddlZddlZddlZddlZddlmZm Z m Z ddl m Z ddl m Z e rddlZddlZej"eZej(dZej,dZej,d Zej,d Zej,dZd ZGd deZGddeZGddej>Z GddeZ!y)z2Utilities for Regional Access Boundary management.N) NamedTupleOptional TYPE_CHECKING)_helpers)environment_varsctjjtj}|y|j dvS)anChecks if Regional Access Boundary is enabled via environment variable. The environment variable is interpreted as a boolean with the following (case-insensitive) rules: - "true", "1" are considered true. - Any other value (or unset) is considered false. Returns: bool: True if Regional Access Boundary is enabled, False otherwise. F)true1)osenvirongetr"GOOGLE_AUTH_TRUST_BOUNDARY_ENABLEDlower)values U/root/env/lib/python3.12/site-packages/google/auth/_regional_access_boundary_utils.py#is_regional_access_boundary_enabledr#s6 JJNN+NN OE } ;;=M )))hours)minuteszx-allowed-locationsceZdZUdZeeed<eejed<eejed<ejed<y)_RegionalAccessBoundaryDataaData container for a Regional Access Boundary snapshot. Attributes: encoded_locations (Optional[str]): The encoded Regional Access Boundary string. expiry (Optional[datetime.datetime]): The hard expiration time of the boundary data. cooldown_expiry (Optional[datetime.datetime]): The time until which further lookups are skipped. cooldown_duration (datetime.timedelta): The current duration for the exponential cooldown. encoded_locationsexpirycooldown_expirycooldown_durationN) __name__ __module__ __qualname____doc__rstr__annotations__datetime timedeltarrrrHsA }$ X&& ''h//00)))rrcNeZdZdZdZdZdZdZdZd dZ d Z d Z d Z d Z y)_RegionalAccessBoundaryManagerzManages the Regional Access Boundary state and its background refresh. The actual data is held in an immutable `_RegionalAccessBoundaryData` object and is swapped atomically to ensure thread-safe, lock-free reads. ctdddt|_t|_t j |_d|_y)NrrrrF) r)DEFAULT_REGIONAL_ACCESS_BOUNDARY_COOLDOWN_data%_RegionalAccessBoundaryRefreshManagerrefresh_manager threadingLock _update_lock-_use_blocking_regional_access_boundary_lookupselfs r__init__z'_RegionalAccessBoundaryManager.__init___s?0" G   EF%NN,=B:rcD|jj}d|d<|S)z9Pickle helper that serializes the _update_lock attribute.Nr2__dict__copyr5states r __getstate__z+_RegionalAccessBoundaryManager.__getstate__js# ""$ $n rcl|jj|tj|_y)z;Pickle helper that deserializes the _update_lock attribute.N)r9updater0r1r2r;s r __setstate__z+_RegionalAccessBoundaryManager.__setstate__ps# U#%NN,rct|tstS|j|jk(xr|j|jk(S)z!Checks if two managers are equal.) isinstancer)NotImplementedr-r3)r5others r__eq__z%_RegionalAccessBoundaryManager.__eq__usF%!?@! ! JJ%++ % CBBBBC rcd|_y)zEnables blocking Regional Access Boundary lookup. When enabled, the Regional Access Boundary lookup will be performed synchronously in the calling thread instead of asynchronously in a background thread. TN)r3r4s renable_blocking_lookupz5_RegionalAccessBoundaryManager.enable_blocking_lookups >B:rNc<|sd}t||dt|_y)aIManually sets the regional access boundary to the client provided seed. Args: encoded_locations (Optional[str]): The encoded locations string. expiry (Optional[datetime.datetime]): The expiry time for the boundary. If encoded_locations is not provided, expiry is ignored. Nr+)rr,r-)r5rrs r$set_initial_regional_access_boundaryzC_RegionalAccessBoundaryManager.set_initial_regional_access_boundarys$!F0/ G   rc|j}|jrA|j5tj|jkr|j|t <y|j t dy)a\Applies the Regional Access Boundary header to the provided dictionary. If the boundary is valid, the 'x-allowed-locations' header is added or updated. Otherwise, the header is removed to ensure no stale data is sent. Args: headers (MutableMapping[str, str]): The headers dictionary to update. N)r-rrrutcnow _REGIONAL_ACCESS_BOUNDARY_HEADERpop)r5headersrab_datas r apply_headersz,_RegionalAccessBoundaryManager.apply_headerssR::  % % OO 'HOO,=,O8@8R8RG4 5 KK8$ ?rcr|j}|jr5|jr)tj|jt z kry|j r"tj|j kry|jr|j||y|jj|||y)aStarts a background thread to refresh the Regional Access Boundary if needed. Args: credentials (google.auth.credentials.Credentials): The credentials to refresh. request (google.auth.transport.Request): The object used to make HTTP requests. N) r-rrrrK*REGIONAL_ACCESS_BOUNDARY_REFRESH_THRESHOLDrr3start_blocking_refreshr/ start_refresh)r5 credentialsrequestrOs rmaybe_start_refreshz2_RegionalAccessBoundaryManager.maybe_start_refreshs::  & &!!KKM   # #(9H  1 &::L,$A$E$E&%! ;&7#??,/SS$(&O   ..w7MM"OP..w7OOT OO% (F(FF%*- 22Q69*& &&8??+<|?R?R+R-1*"&K-9-K-K*"."5"5K:&<&$8&<   &DJc1 &1 &1 &s EEE&)NN)rr r!r"r6r=r@rErGrIrPrWrSrar'rrr)r)Xs> C -  B $@&K8R:8&rr)c6eZdZdZ dfd ZdZxZS)$_RegionalAccessBoundaryRefreshThreadzAThread for background refreshing of the Regional Access Boundary.cZt|d|_||_||_||_y)NT)superr6daemon _credentials_request _rab_manager)r5rUrV rab_manager __class__s rr6z-_RegionalAccessBoundaryRefreshThread.__init__$s.  ' 'rc |jj|j}|jj|y#t$r=}t j t rt jd|dd}Yd}~]d}~wwxYw)a Performs the Regional Access Boundary lookup and updates the state. This method is run in a separate thread. It delegates the actual lookup to the credentials object's `_lookup_regional_access_boundary` method. Based on the lookup's outcome (success or complete failure after retries), it updates the cached Regional Access Boundary information, its expiry, its cooldown expiry, and its exponential cooldown duration. zDAsynchronous Regional Access Boundary lookup raised an exception: %sTrZN) rvr\rwr]rr^r_r`rxra)r5rbrcs rrunz(_RegionalAccessBoundaryRefreshThread.run0s 1!!BB4==Q * ?? )  1**73Z!  -1 ) 1s%A B  3BB )rUz=google.auth.credentials.CredentialsWithRegionalAccessBoundaryrVzgoogle.auth.transport.Requestryr))rr r!r"r6r| __classcell__)rzs@rrrrr!s,K (T (1 (6 ( rrrc(eZdZdZdZdZdZdZy)r.zKManages a thread for background refreshing of the Regional Access Boundary.cDtj|_d|_y)N)r0r1_lock_workerr4s rr6z._RegionalAccessBoundaryRefreshManager.__init__Rs^^%  rcN|jj}d|d<d|d<|S)z?Pickle helper that serializes the _lock and _worker attributes.Nrrr8r;s rr=z2_RegionalAccessBoundaryRefreshManager.__getstate__Vs, ""$gi rcz|jj|tj|_d|_y)zAPickle helper that deserializes the _lock and _worker attributes.N)r9r?r0r1rrr;s rr@z2_RegionalAccessBoundaryRefreshManager.__setstate__]s) U#^^%  rc|j5|jr$|jjr dddy tj|}t||||_|jjdddy#t $rA}t jtrtjd|Yd}~dddyd}~wwxYw#1swYyxYw)a Starts a background thread to refresh the Regional Access Boundary if one is not already running. Args: credentials (CredentialsWithRegionalAccessBoundary): The credentials to refresh. request (google.auth.transport.Request): The object used to make HTTP requests. rab_manager (_RegionalAccessBoundaryManager): The manager container to update. NzCould not deepcopy transport for background RAB refresh. Skipping background refresh to avoid thread safety issues. Exception: %s) rris_aliver:deepcopyr]rr^r_r`rrstart)r5rUrVrycopied_requestrcs rrTz3_RegionalAccessBoundaryRefreshManager.start_refreshcsZZ !|| 5 5 7 ! ! !%w!7@^[DL LL   ) ! ! ..w7OO(   ! !  ! !s4(CB ,C C/CCCCCN)rr r!r"r6r=r@rTr'rrr.r.OsU !rr.)"r"r:r% functoolsloggingr r0typingrrr google.authrrgoogle.auth.credentialsgooglegoogle.auth.transport getLoggerrr_ lru_cacherr&rgrRr,rjrLrobjectr)Threadrrr.r'rrrs9  66 (" '  H %**&(:x'9'9'B$.@X-?-?a-H*-?H,>,>r,J));(:(:(C%$9  ** * F&VF&R+ 9+;+;+ \3!F3!r